- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add new Lookup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add new Lookup?
I am working to leverage the below query for 'Stale Account Usage' from Splunk Security Essentials Docs, which uses lookup "account_status_tracker".
The 'How to Implement' guidance includes: "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. "
From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me.
My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"? When I select existing authentication-related files as the "Lookup File", I receive error messages, for example: "Cannot find the destination field 'count' in the lookup table...
And leads greatly appreciated.
index=* source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-90d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker
| where this_only_exists_to_update_the_lookup='so we will make sure there are no results']
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Usually, the first step to adding a lookup is to put a CSV file on the server in one of Splunk's 'lookups' directories. Then use the GUI to reference that file.
You also can use the Lookup File Editor app to create a new lookup file from the GUI.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway: Thank you. After reading the guidance, "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in CIM format" I grabbed the current authentication CIM (Authentication - Splunk Documentation), but then held off on pushing to create the lookup. For example, I noticed that while the lookup will attempt to OUTPUT field "count", the authentication CIM does not include a "count" field. So, I was just taking a step back and seeing if there is any other information needed to best implement this solution.
Again, thank you.
Unleash Unified Security and Observability with Splunk Cloud Platform
Splunk AppDynamics with Cisco Secure Application
New Splunk Innovations Enhance Performance and Accelerate Troubleshooting
